事前準備
約束條件架構
gcloud beta terraform vet 會使用 Constraint Framework 政策,其中包含限制和限制範本。兩者之間的差異如下:
- 限制範本就像函式宣告一樣,會在 Rego 中定義規則,並可選擇採用輸入參數。
- 限制是參照限制範本的檔案,並定義要傳遞至該範本的輸入參數,以及政策涵蓋的資源。
這樣一來,您就能避免重複作業。您可以使用一般政策編寫限制範本,然後編寫任意數量的限制,提供不同的輸入參數或不同的資源比對規則。
CAI 資產與 Terraform 資源
Cloud Asset Inventory 資產是標準的 Google 資料匯出格式,可用於許多 Google Cloud 資源。通常只有在建立或更新資源後,才能取得 CAI 資料。不過,只要將 Terraform 資源變更內容轉換為 CAI Asset 資料,gcloud beta terraform vet 就會讓您一次編寫政策,並在套用前使用這項政策,以及透過相容工具進行稽核檢查。
相容工具
以下工具並非 Google 官方產品,因此不受支援。不過,這些政策可能與以下為 gcloud beta terraform vet 編寫的政策相容:
建立限制範本
開發限制範本前,請先確認您要為其編寫政策的資產,同時支援 Cloud Asset Inventory 和 gcloud beta terraform vet。
建立限制範本的步驟如下:
- 收集範例資料。
- 編寫 Rego。
- 測試 Rego。
- 設定限制範本骨架。
- 將 Rego 加入行內。
- 設定限制條件。
收集範例資料
如要編寫限制範本,您需要有可操作的樣本資料。以 CAI 為基礎的限制條件會套用於 CAI 資產資料。如CAI 快速入門指南所述,建立適當類型的資源並匯出為 JSON,即可收集範例資料。
以下是 Compute Address 的 JSON 匯出內容範例:
[
{
"name": "//compute.googleapis.com/projects/789/regions/us-central1/addresses/my-internal-address",
"asset_type": "compute.googleapis.com/Address",
"ancestors: [
"organization/123",
"folder/456",
"project/789"
],
"resource": {
"version": "v1",
"discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest",
"discovery_name": "Address",
"parent": "//cloudresourcemanager.googleapis.com/projects/789",
"data": {
"address": "10.0.42.42",
"addressType": "INTERNAL",
"name": "my-internal-address",
"region": "projects/789/global/regions/us-central1"
}
}
},
]
撰寫 Rego
取得範例資料後,您就可以在 Rego 中為限制範本編寫邏輯。Rego 必須包含 violations 規則。正在審查的素材資源會以 input.review 的形式提供。限制參數可用於 input.parameters。舉例來說,如要要求 compute.googleapis.com/Address 資產具有允許的 addressType,請輸入:
# validator/gcp_compute_address_address_type_allowlist_constraint_v1.rego
package templates.gcp.GCPComputeAddressAddressTypeAllowlistConstraintV1
violation[{
"msg": message,
"details": metadata,
}] {
asset := input.review
asset.asset_type == "compute.googleapis.com/Address"
allowed_address_types := input.parameters.allowed_address_types
count({asset.resource.data.addressType} & allowed_address_types) >= 1
message := sprintf(
"Compute address %s has a disallowed address_type: %s",
[asset.name, asset.resource.data.addressType]
)
metadata := {"asset": asset.name}
}
為限制範本命名
先前的範例使用 GCPComputeAddressAddressTypeAllowlistConstraintV1 這個名稱。這是每個約束條件範本的專屬 ID。建議您遵循下列命名規範:
- 一般格式:
GCP{resource}{feature}Constraint{version}。使用 CamelCase。換句話說,每個新字詞都必須大寫。 - 針對單一資源限制,請按照 gcloud 群組名稱命名資源。舉例來說,請使用「compute」取代「gce」,「sql」取代「cloud-sql」,以及「container-cluster」取代「gke」。
- 如果範本適用於多種資源類型,請省略資源部分,只包含功能 (例如「GCPAddressTypeAllowlistConstraintV1」)。
- 版本號碼不遵循 semver 格式,只是單一數字。這樣一來,每個範本版本都會成為獨立的範本。
建議您為 Rego 檔案使用與限制範本名稱相符的名稱,但請使用蛇形命名法。換句話說,請使用 _ 將名稱轉換為小寫字母分隔的字詞。在上述範例中,建議的檔案名稱為 gcp_compute_address_address_type_allowlist_constraint_v1.rego
測試 Rego
您可以使用 Rego Playground 手動測試 Rego。請務必使用非機密資料。
建議您編寫自動化測試。將收集到的範例資料放入 validator/test/fixtures/<constraint
filename>/assets/data.json,然後在測試檔案中參照這項資料,如下所示:
# validator/gcp_compute_address_address_type_allowlist_constraint_v1_test.rego
package templates.gcp.GCPComputeAddressAddressTypeAllowlistConstraintV1
import data.test.fixtures.gcp_compute_address_address_type_allowlist_constraint_v1_test.assets as assets
test_violation_with_disallowed_address_type {
parameters := {
"allowed_address_types": "EXTERNAL"
}
violations := violation with input.review as assets[_]
with input.parameters as parameters
count(violations) == 1
}
將 Rego 和測試放入政策程式庫的 validator 資料夾中。
設定限制範本骨架
完成測試並確保 Rego 規則運作無誤後,您必須將其封裝為限制範本。限制架構會使用 Kubernetes 自訂資源定義,做為 Rego 政策的容器。
限制範本也會使用 OpenAPI V3 結構定義允許從限制中輸入的參數。
請使用與 Rego 相同的骨架名稱。特別是:
- 請使用與 Rego 相同的檔案名稱。例如:
gcp_compute_address_address_type_allowlist_constraint_v1.yaml spec.crd.spec.names.kind必須包含範本名稱metadata.name必須包含範本名稱,但必須小寫
將限制範本骨架放入 policies/templates。
以上述範例來說:
# policies/templates/gcp_compute_address_address_type_allowlist_constraint_v1.yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: gcpcomputeaddressaddresstypeallowlistconstraintv1
spec:
crd:
spec:
names:
kind: GCPComputeAddressAddressTypeAllowlistConstraintV1
validation:
openAPIV3Schema:
properties:
allowed_address_types:
description: "A list of address_types allowed, for example: ['INTERNAL']"
type: array
items:
type: string
targets:
- target: validation.gcp.forsetisecurity.org
rego: |
#INLINE("validator/gcp_compute_address_address_type_allowlist_constraint_v1.rego")
#ENDINLINE
內嵌 Rego
此時,按照先前的範例,目錄版面配置會如下所示:
| policy-library/
|- validator/
||- gcp_compute_address_address_type_allowlist_constraint_v1.rego
||- gcp_compute_address_address_type_allowlist_constraint_v1_test.rego
|- policies
||- templates
|||- gcp_compute_address_address_type_allowlist_constraint_v1.yaml
如果您複製了 Google 提供的政策程式庫存放區,可以執行 make build,自動更新 policies/templates 中的限制範本,並使用 validator 中定義的 Rego。
設定限制條件
限制包含 gcloud beta terraform vet 需要的三項資訊,才能正確執行並回報違規情形:
severity:low、medium或highmatch:用於判斷限制是否適用於特定資源的參數。支援下列比對參數:ancestries:要納入的祖系路徑清單,使用 glob 式比對excludedAncestries:(選用) 要排除的祖系路徑清單,使用 glob 樣式比對。
parameters:約束範本的輸入參數值。
請確認 kind 包含限制範本名稱。建議將 metadata.name 設為描述性短代碼。
舉例來說,如要只允許使用上述範例限制範本的 INTERNAL 地址類型,請編寫以下內容:
# policies/constraints/gcp_compute_address_internal_only.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPComputeAddressAddressTypeAllowlistConstraintV1
metadata:
name: gcp_compute_address_internal_only
spec:
severity: high
match:
ancestries:
- "**"
parameters:
allowed_address_types:
- "INTERNAL"
比對結果示例:
| Ancestry 路徑比對器 | 說明 |
|---|---|
| organizations/** | 所有機構 |
| organizations/123/** | 機構 123 中的所有內容 |
| organizations/123/folders/** | 機構 123 中資料夾下的所有內容 |
| organizations/123/folders/456 | 機構 123 中資料夾 456 中的所有內容 |
| organizations/123/folders/456/projects/789 | 機構 123 的資料夾 456 中專案 789 的所有內容 |
如果資源位址與 ancestries 和 excludedAncestries 中的值相符,就會遭到排除。
限制
Terraform 企劃書資料可提供最佳可用表示法,用於呈現套用後的實際狀態。不過,在許多情況下,系統可能無法得知套用後的狀態,因為系統是在伺服器端計算這項資訊。在這種情況下,轉換後的 CAI 素材資源中也不會有資料。
驗證政策時,建立 CAI 祖系路徑是其中的一部分。它會使用提供的預設專案,以便處理不明的專案 ID。如果未提供預設專案,祖系路徑會預設為 organizations/unknown。
如要禁止不明祖系,請新增下列限制條件:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: GCPAlwaysViolatesConstraintV1
metadata:
name: disallow_unknown_ancestry
annotations:
description: |
Unknown ancestry is not allowed; use --project=<project> to set a
default ancestry
spec:
severity: high
match:
ancestries:
- "organizations/unknown"
parameters: {}
支援的資源
如果您希望 gcloud beta terraform vet 為不在這個清單中的資源新增支援功能,請提出功能強化要求,並考慮提供程式碼。
支援的資源清單會因安裝的 gcloud beta terraform vet 版本而異。以下是目前支援的資源清單:
| Terraform 資源 | Cloud Asset Inventory 資產 |
|---|---|
| google_access_context_manager_access_policy_iam_binding | accesscontextmanager.googleapis.com/AccessPolicy |
| google_access_context_manager_access_policy_iam_member | accesscontextmanager.googleapis.com/AccessPolicy |
| google_access_context_manager_access_policy_iam_policy | accesscontextmanager.googleapis.com/AccessPolicy |
| google_access_context_manager_service_perimeter | accesscontextmanager.googleapis.com/ServicePerimeter |
| google_apigee_environment_iam_binding | apigee.googleapis.com/Environment |
| google_apigee_environment_iam_member | apigee.googleapis.com/Environment |
| google_apigee_environment_iam_policy | apigee.googleapis.com/Environment |
| google_bigquery_dataset | bigquery.googleapis.com/Dataset |
| google_bigquery_dataset_iam_binding | bigquery.googleapis.com/Dataset |
| google_bigquery_dataset_iam_member | bigquery.googleapis.com/Dataset |
| google_bigquery_dataset_iam_policy | bigquery.googleapis.com/Dataset |
| google_bigquery_table | bigquery.googleapis.com/Table |
| google_bigquery_table_iam_binding | bigquery.googleapis.com/Table |
| google_bigquery_table_iam_member | bigquery.googleapis.com/Table |
| google_bigquery_table_iam_policy | bigquery.googleapis.com/Table |
| google_bigtable_instance | bigtableadmin.googleapis.com/Cluster、bigtableadmin.googleapis.com/Instance |
| google_binary_authorization_attestor_iam_binding | binaryauthorization.googleapis.com/Attestor |
| google_binary_authorization_attestor_iam_member | binaryauthorization.googleapis.com/Attestor |
| google_binary_authorization_attestor_iam_policy | binaryauthorization.googleapis.com/Attestor |
| google_cloud_run_domain_mapping | run.googleapis.com/DomainMapping |
| google_cloud_run_service | run.googleapis.com/Service |
| google_cloud_run_service_iam_binding | run.googleapis.com/Service |
| google_cloud_run_service_iam_member | run.googleapis.com/Service |
| google_cloud_run_service_iam_policy | run.googleapis.com/Service |
| google_cloudfunctions_function | cloudfunctions.googleapis.com/CloudFunction |
| google_cloudfunctions_function_iam_binding | cloudfunctions.googleapis.com/CloudFunction |
| google_cloudfunctions_function_iam_member | cloudfunctions.googleapis.com/CloudFunction |
| google_cloudfunctions_function_iam_policy | cloudfunctions.googleapis.com/CloudFunction |
| google_compute_address | compute.googleapis.com/Address |
| google_compute_backend_service_iam_binding | compute.googleapis.com/BackendService |
| google_compute_backend_service_iam_member | compute.googleapis.com/BackendService |
| google_compute_backend_service_iam_policy | compute.googleapis.com/BackendService |
| google_compute_disk | compute.googleapis.com/Disk |
| google_compute_disk_iam_binding | compute.googleapis.com/Disk |
| google_compute_disk_iam_member | compute.googleapis.com/Disk |
| google_compute_disk_iam_policy | compute.googleapis.com/Disk |
| google_compute_firewall | compute.googleapis.com/Firewall |
| google_compute_forwarding_rule | compute.googleapis.com/ForwardingRule |
| google_compute_global_address | compute.googleapis.com/GlobalAddress |
| google_compute_global_forwarding_rule | compute.googleapis.com/GlobalForwardingRule |
| google_compute_image_iam_binding | compute.googleapis.com/Image |
| google_compute_image_iam_member | compute.googleapis.com/Image |
| google_compute_image_iam_policy | compute.googleapis.com/Image |
| google_compute_instance | compute.googleapis.com/Instance |
| google_compute_instance_iam_binding | compute.googleapis.com/Instance |
| google_compute_instance_iam_member | compute.googleapis.com/Instance |
| google_compute_instance_iam_policy | compute.googleapis.com/Instance |
| google_compute_network | compute.googleapis.com/Network |
| google_compute_region_backend_service_iam_binding | compute.googleapis.com/RegionBackendService |
| google_compute_region_backend_service_iam_member | compute.googleapis.com/RegionBackendService |
| google_compute_region_backend_service_iam_policy | compute.googleapis.com/RegionBackendService |
| google_compute_region_disk_iam_binding | compute.googleapis.com/RegionDisk |
| google_compute_region_disk_iam_member | compute.googleapis.com/RegionDisk |
| google_compute_region_disk_iam_policy | compute.googleapis.com/RegionDisk |
| google_compute_security_policy | compute.googleapis.com/SecurityPolicy |
| google_compute_snapshot | compute.googleapis.com/Snapshot |
| google_compute_ssl_policy | compute.googleapis.com/SslPolicy |
| google_compute_subnetwork | compute.googleapis.com/Subnetwork |
| google_compute_subnetwork_iam_binding | compute.googleapis.com/Subnetwork |
| google_compute_subnetwork_iam_member | compute.googleapis.com/Subnetwork |
| google_compute_subnetwork_iam_policy | compute.googleapis.com/Subnetwork |
| google_container_cluster | container.googleapis.com/Cluster |
| google_container_node_pool | container.googleapis.com/NodePool |
| google_data_catalog_entry_group_iam_binding | datacatalog.googleapis.com/EntryGroup |
| google_data_catalog_entry_group_iam_member | datacatalog.googleapis.com/EntryGroup |
| google_data_catalog_entry_group_iam_policy | datacatalog.googleapis.com/EntryGroup |
| google_data_catalog_tag_template_iam_binding | datacatalog.googleapis.com/TagTemplate |
| google_data_catalog_tag_template_iam_member | datacatalog.googleapis.com/TagTemplate |
| google_data_catalog_tag_template_iam_policy | datacatalog.googleapis.com/TagTemplate |
| google_dns_managed_zone | dns.googleapis.com/ManagedZone |
| google_dns_policy | dns.googleapis.com/Policy |
| google_endpoints_service_consumers_iam_binding | servicemanagement.googleapis.com/ServiceConsumers |
| google_endpoints_service_consumers_iam_member | servicemanagement.googleapis.com/ServiceConsumers |
| google_endpoints_service_consumers_iam_policy | servicemanagement.googleapis.com/ServiceConsumers |
| google_endpoints_service_iam_binding | servicemanagement.googleapis.com/Service |
| google_endpoints_service_iam_member | servicemanagement.googleapis.com/Service |
| google_endpoints_service_iam_policy | servicemanagement.googleapis.com/Service |
| google_filestore_instance | file.googleapis.com/Instance |
| google_folder_iam_binding | cloudresourcemanager.googleapis.com/Folder |
| google_folder_iam_member | cloudresourcemanager.googleapis.com/Folder |
| google_folder_iam_policy | cloudresourcemanager.googleapis.com/Folder |
| google_folder_organization_policy | cloudresourcemanager.googleapis.com/Folder |
| google_healthcare_consent_store_iam_binding | healthcare.googleapis.com/ConsentStore |
| google_healthcare_consent_store_iam_member | healthcare.googleapis.com/ConsentStore |
| google_healthcare_consent_store_iam_policy | healthcare.googleapis.com/ConsentStore |
| google_iap_tunnel_iam_binding | iap.googleapis.com/Tunnel |
| google_iap_tunnel_iam_member | iap.googleapis.com/Tunnel |
| google_iap_tunnel_iam_policy | iap.googleapis.com/Tunnel |
| google_iap_tunnel_instance_iam_binding | iap.googleapis.com/TunnelInstance |
| google_iap_tunnel_instance_iam_member | iap.googleapis.com/TunnelInstance |
| google_iap_tunnel_instance_iam_policy | iap.googleapis.com/TunnelInstance |
| google_iap_web_iam_binding | iap.googleapis.com/Web |
| google_iap_web_iam_member | iap.googleapis.com/Web |
| google_iap_web_iam_policy | iap.googleapis.com/Web |
| google_kms_crypto_key | cloudkms.googleapis.com/CryptoKey |
| google_kms_crypto_key_iam_binding | cloudkms.googleapis.com/CryptoKey |
| google_kms_crypto_key_iam_member | cloudkms.googleapis.com/CryptoKey |
| google_kms_crypto_key_iam_policy | cloudkms.googleapis.com/CryptoKey |
| google_kms_key_ring | cloudkms.googleapis.com/KeyRing |
| google_kms_key_ring_iam_binding | cloudkms.googleapis.com/KeyRing |
| google_kms_key_ring_iam_member | cloudkms.googleapis.com/KeyRing |
| google_kms_key_ring_iam_policy | cloudkms.googleapis.com/KeyRing |
| google_monitoring_alert_policy | monitoring.googleapis.com/AlertPolicy |
| google_monitoring_notification_channel | monitoring.googleapis.com/NotificationChannel |
| google_notebooks_instance_iam_binding | notebooks.googleapis.com/Instance |
| google_notebooks_instance_iam_member | notebooks.googleapis.com/Instance |
| google_notebooks_instance_iam_policy | notebooks.googleapis.com/Instance |
| google_notebooks_runtime_iam_binding | notebooks.googleapis.com/Runtime |
| google_notebooks_runtime_iam_member | notebooks.googleapis.com/Runtime |
| google_notebooks_runtime_iam_policy | notebooks.googleapis.com/Runtime |
| google_organization_iam_binding | cloudresourcemanager.googleapis.com/Organization |
| google_organization_iam_custom_role | iam.googleapis.com/Role |
| google_organization_iam_member | cloudresourcemanager.googleapis.com/Organization |
| google_organization_iam_policy | cloudresourcemanager.googleapis.com/Organization |
| google_organization_policy | cloudresourcemanager.googleapis.com/Organization |
| google_privateca_ca_pool_iam_binding | privateca.googleapis.com/CaPool |
| google_privateca_ca_pool_iam_member | privateca.googleapis.com/CaPool |
| google_privateca_ca_pool_iam_policy | privateca.googleapis.com/CaPool |
| google_privateca_certificate_template_iam_binding | privateca.googleapis.com/CertificateTemplate |
| google_privateca_certificate_template_iam_member | privateca.googleapis.com/CertificateTemplate |
| google_privateca_certificate_template_iam_policy | privateca.googleapis.com/CertificateTemplate |
| google_project | cloudbilling.googleapis.com/ProjectBillingInfo、cloudresourcemanager.googleapis.com/Project |
| google_project_iam_binding | cloudresourcemanager.googleapis.com/Project |
| google_project_iam_custom_role | iam.googleapis.com/Role |
| google_project_iam_member | cloudresourcemanager.googleapis.com/Project |
| google_project_iam_policy | cloudresourcemanager.googleapis.com/Project |
| google_project_organization_policy | cloudresourcemanager.googleapis.com/Project |
| google_project_service | serviceusage.googleapis.com/Service |
| google_pubsub_lite_reservation | pubsublite.googleapis.com/Reservation |
| google_pubsub_lite_subscription | pubsublite.googleapis.com/Subscription |
| google_pubsub_lite_topic | pubsublite.googleapis.com/Topic |
| google_pubsub_schema | pubsub.googleapis.com/Schema |
| google_pubsub_subscription | pubsub.googleapis.com/Subscription |
| google_pubsub_subscription_iam_binding | pubsub.googleapis.com/Subscription |
| google_pubsub_subscription_iam_member | pubsub.googleapis.com/Subscription |
| google_pubsub_subscription_iam_policy | pubsub.googleapis.com/Subscription |
| google_pubsub_topic | pubsub.googleapis.com/Topic |
| google_pubsub_topic_iam_binding | pubsub.googleapis.com/Topic |
| google_pubsub_topic_iam_member | pubsub.googleapis.com/Topic |
| google_pubsub_topic_iam_policy | pubsub.googleapis.com/Topic |
| google_redis_instance | redis.googleapis.com/Instance |
| google_secret_manager_secret_iam_binding | secretmanager.googleapis.com/Secret |
| google_secret_manager_secret_iam_member | secretmanager.googleapis.com/Secret |
| google_secret_manager_secret_iam_policy | secretmanager.googleapis.com/Secret |
| google_spanner_database | spanner.googleapis.com/Database |
| google_spanner_database_iam_binding | spanner.googleapis.com/Database |
| google_spanner_database_iam_member | spanner.googleapis.com/Database |
| google_spanner_database_iam_policy | spanner.googleapis.com/Database |
| google_spanner_instance | spanner.googleapis.com/Instance |
| google_spanner_instance_iam_binding | spanner.googleapis.com/Instance |
| google_spanner_instance_iam_member | spanner.googleapis.com/Instance |
| google_spanner_instance_iam_policy | spanner.googleapis.com/Instance |
| google_sql_database | sqladmin.googleapis.com/Database |
| google_sql_database_instance | sqladmin.googleapis.com/Instance |
| google_storage_bucket | storage.googleapis.com/Bucket |
| google_storage_bucket_iam_binding | storage.googleapis.com/Bucket |
| google_storage_bucket_iam_member | storage.googleapis.com/Bucket |
| google_storage_bucket_iam_policy | storage.googleapis.com/Bucket |
| google_vpc_access_connector | vpcaccess.googleapis.com/Connector |